SSH stuff... (from slashdot)

2002-06-25 Thread Matthew Daubenspeck
Is this true?

-Forward
The privilege separation code in OpenSSH 3.3 does not work with 2.2 Linux
kernels.

It relies on mmap() semantics that aren't supported before kernel 2.4 (maybe
2.3.x). OpenSSH will configure, compile, and install successfully. It will
start up, but it will NOT accept connections.

Your clients will get a broken pipe message, your syslog will get an
mmap: invalid parameter message.

The solutions are:
Upgrade to kernel 2.4 or higher.

Don't compile in Privilege Separation.

You might be able to compile privsep in and disable it, but I couldn't get
this to work. Maybe I had a typo in my config file. I dunno.



I didn't see this anywhere until I dug into my syslog and then the OpenSSH
mailing list. You have been warned.

If you do have kernel 2.4, you should read README.privsep in the openssh
source distro, since you need to create a special directory and user/group
for this (which also bit me in the butt...even if sshd had worked on 2.2,
when I restarted it remotely, it didn't come back up because it didn't have
that user...yeah, yeah, rtfm. :) )
- End forwarded message -




Re: SSH stuff... (from slashdot)

2002-06-25 Thread Colin Watson
On Tue, Jun 25, 2002 at 08:34:12AM -0400, Matthew Daubenspeck wrote:
> Is this true?
>
> -Forward
> The privilege separation code in OpenSSH 3.3 does not work with 2.2 Linux
> kernels.

Yes, but only if you enable compression. Turn that off ('Compression no'
in /etc/ssh/sshd_config) and I'm told it works.

> If you do have kernel 2.4, you should read README.privsep in the openssh
> source distro, since you need to create a special directory and user/group
> for this (which also bit me in the butt...even if sshd had worked on 2.2,
> when I restarted it remotely, it didn't come back up because it didn't have
> that user...yeah, yeah, rtfm. :) )

You don't have to do this manually with the Debian security update.

-- 
Colin Watson  [EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
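
Added example, not part of the thread and not OpenSSH code: a small C probe for the kind of mmap() behaviour the forwarded post describes. It assumes the semantics in question are an anonymous `MAP_SHARED` mapping that stays shared across `fork()`; the thread does not name the flags, and the function name `probe_shared_anon_mmap` is hypothetical.

```c
/* Added example, not OpenSSH code. Assumption: the mmap() behaviour at issue
 * is an anonymous MAP_SHARED mapping that stays shared across fork(). */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Returns 1 if a child's write to the mapping is visible to the parent,
 * 0 if the mapping is created but not shared,
 * -1 if mmap() or fork() fails (for example with EINVAL). */
int probe_shared_anon_mmap(void)
{
    const char msg[] = "written by child";
    size_t len = 4096;
    char *region = mmap(NULL, len, PROT_READ | PROT_WRITE,
                        MAP_ANON | MAP_SHARED, -1, 0);
    if (region == MAP_FAILED)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        munmap(region, len);
        return -1;
    }
    if (pid == 0) {             /* child: stands in for the unprivileged process */
        memcpy(region, msg, sizeof(msg));
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);   /* parent: stands in for the privileged side */
    int shared = WIFEXITED(status) && memcmp(region, msg, sizeof(msg)) == 0;
    munmap(region, len);
    return shared ? 1 : 0;
}

int main(void)
{
    int r = probe_shared_anon_mmap();
    if (r < 0)
        perror("probe_shared_anon_mmap");
    else
        printf("shared anonymous mmap across fork: %s\n", r ? "works" : "not shared");
    return r == 1 ? 0 : 1;
}
```

A result of -1 on the target host, run before sshd is restarted remotely, would match the `mmap: invalid parameter` syslog symptom reported in the forwarded message.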



Re: SSH stuff... (from slashdot)

2002-06-25 Thread Rob VanFleet
On Tue, Jun 25, 2002 at 08:34:12AM -0400, Matthew Daubenspeck wrote:
> Is this true?

According to Wichert Akkerman on debian-security:

Actually our package contains a patch from Solar Designer to
make privsep work on 2.2 kernels. It might still be broken on 2.0
kernels though, but I have no concrete information on that.

Rob

 
> -Forward
> The privilege separation code in OpenSSH 3.3 does not work with 2.2 Linux
> kernels.
>
> It relies on mmap() semantics that aren't supported before kernel 2.4 (maybe
> 2.3.x). OpenSSH will configure, compile, and install successfully. It will
> start up, but it will NOT accept connections.
>
> Your clients will get a broken pipe message, your syslog will get an
> mmap: invalid parameter message.
>
> The solutions are:
> Upgrade to kernel 2.4 or higher.
>
> Don't compile in Privilege Separation.
>
> You might be able to compile privsep in and disable it, but I couldn't get
> this to work. Maybe I had a typo in my config file. I dunno.
>
> I didn't see this anywhere until I dug into my syslog and then the OpenSSH
> mailing list. You have been warned.
>
> If you do have kernel 2.4, you should read README.privsep in the openssh
> source distro, since you need to create a special directory and user/group
> for this (which also bit me in the butt...even if sshd had worked on 2.2,
> when I restarted it remotely, it didn't come back up because it didn't have
> that user...yeah, yeah, rtfm. :) )
> - End forwarded message -


